Gootbot: A new post-exploitation implant for lateral movement

Gootloader itself is written in JavaScript and is distributed through black hat search engine optimization (BHSEO) campaigns that involve using compromised websites to inject rogue results into search engines. Gootloader search result poisoning campaigns typically target keywords for business documents specific to different industries.

“Hive0127 typically targets online searches for contracts, legal forms or other business-related documents; for example: ‘Is a closing statement the same as a grand contract?’,” researchers from X-Force explain. “Targets are served a compromised website modified to appear as a legitimate forum at the top of the poisoned search engine results page. Within the forum conversation, the targets are then tricked into downloading an archive file related to their initial search terms, but which actually contains Gootloader.”

From Gootloader to GootBot

Upon execution, Gootloader drops a malicious JavaScript file in an existing folder from the %APPDATA% directory and sets up a scheduled task to ensure its persistent execution at restart. The JavaScript file then executes a PowerShell script that collects basic information about the system and uploads it to ten hard-coded URLs — usually compromised WordPress websites. The script also searches in a loop for additional PowerShell payloads to download and execute from those servers.

In past campaigns, this is the stage where attackers deployed Cobalt Strike or other more advanced payloads. However, the X-Force researchers recently observed a new payload in the form of an obfuscated PowerShell script that reaches out to a single C2 server and waits for additional tasks to execute. They named this payload GootBot since it’s a more lightweight variant of Gootloader itself.

“As a response, GootBot expects a string consisting of a Base64-encoded payload, and the last eight characters being the task name,” the researchers said. “It then decodes the payload and injects it into a simple scriptblock before executing it in a new background job using the ‘Start-Job’ Cmdlet. This allows the PowerShell payload to be run asynchronously and without creating a child process, potentially resulting in less EDR detections.”

What makes GootBot different is that it’s not only deployed on the system where Gootloader was first executed, but also to other systems from the same network. The payloads that GootBot receives are PowerShell scripts used for lateral movement that enumerate network systems and the domain and exfiltrate credentials by dumping the memory of the LSASS process, as well as registry hives such as SAM, SYSTEM, and SECURITY.

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button